Business Impact Analysis Survey: Long Version Template

Objectives

Due to HIPAA Security Rule regulations, the organization must implement Contingency Planning Practices to ensure the protection of ePHI (electronic Protected Health Information). To accomplish this, the organization will complete several steps to identify the critical business functions, processes, and applications that process ePHI and to understand the potential impact to the business if a disruptive event occurred.

The first step in implementing the Contingency Program for the organization is to conduct a Business Impact Analysis (BIA). This questionnaire will help each business unit identify its critical business functions and recovery requirements and estimate the impact of a disaster (or prolonged outage) on the business unit. Once the survey is completed, the BIA Project Team will review and analyze the data and create a prioritized recovery strategy to present to senior management.

For the purpose of this BIA, answer each question based on the “worst-case scenario”. This means your workplace and all records, files, and equipment in it are inaccessible. The priority of this questionnaire is to identify any business process or application that currently contains ePHI. However, please answer all questions regardless of ePHI status. When all questions are completed to the best of your knowledge, a recovery strategy that best meets the needs of the business can be established.

Some questions relate directly to a specific process, whereas others concern the business unit in general. Some sections contain an additional “Notes” area where you can amplify or explain your responses. While this is not a requirement, it can be useful in helping the Project Team understand the nature of your business unit's operations.

Table of Contents: Business Impact Analysis Survey Template

OBJECTIVE

GENERAL INFORMATION

Respondent Information

Business Unit / Department Information

ePHI (electronic Protected Health Information)

Service Providers

Business Unit Vulnerability

Recovery Complexity

PROCESS INFORMATION

Process Identification

Process Criticality & Frequency

Processing Periods

Process Unavailability Impact

Process Deferrable

Manual Work-Around Procedures for Processes

Alternate Facilities / Work-load shifting

Backlog Work

DEPENDENCIES

Internal Received Dependencies (Same Company)

Internal Sent Dependencies (Same Company)

External Received Dependencies (Outside Provider)

External Sent Dependencies (Outside Provider)

REQUIRED RESOURCES

Software Resources

Specialized Supplies and Clerical Type Resources

Equipment Resources

Manpower Resources

Reports

POTENTIAL IMPACT

Financial Impact

Customer & Operational Impact

Legal & Regulatory Impact

To view a specific section of this document, please contact us at Bob@training-hipaa.net or call us at (515) 865-4591.